Trust is the product
We ask for access to your core systems — your CRM, your inbox, your data. That access is the whole relationship, so we treat it accordingly: least-privilege, fully logged, encrypted, and revocable. We treat your data like it's our own, because you're trusting us with it.
Security principles
Six commitments that govern every integration we build — and the reason gatekeepers hand us the keys.
Least-privilege access
We connect with the minimum scopes a workflow needs — never blanket access. You can see exactly what the system can touch, and revoke it any time.
Full audit logging
Every action an agent takes is logged. You get observability into what the system did, when, and to which record.
Encryption end to end
Data is encrypted in transit and at rest. Secrets are managed, not hard-coded; access is scoped and rotated.
Human-in-the-loop by design
AI handles volume and tier-one; people handle judgment. We design the handoff so sensitive decisions stay with your team.
RBAC & governance
Role-based access control on integrations (Scale and up), with SSO and custom DPA available on Operate.
SOC 2 roadmap
We're building toward SOC 2, with compliant deployment options (BAA where applicable) for gated verticals.
How the system is built
Precise, sober, and honest about what's live vs. planned. We won't claim a control we don't have.
Authentication & access
SSO-first (Google / Microsoft OIDC) for the client portal, MFA enforced for admin roles, step-up auth for sensitive actions, and server-side revocable sessions.
Authorization (RBAC) & isolation
Role-based access control enforced server-side — never trusted from the client — with every query scoped to your organization to prevent cross-tenant reads.
Data protection
TLS 1.2+ in transit with HSTS; AES-256 at rest. Integration tokens and secrets get field-level encryption, keyed by a KMS-managed master key stored apart from the data.
Least-privilege integrations
We request the narrowest scopes each automation needs; you provision that access; it's documented in the SOW — and it's revocable at any time.
AI data handling
We don't use your data to train general-purpose or third-party AI models, and we configure providers to exclude it. Defined exceptions escalate to a human.
Audit & observability
An append-only audit log (actor, action, before/after, IP, timestamp) on every change, with alerting on auth failures and error spikes. No secrets or PII in logs.
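As an added illustration of the entry shape described above (example code, not Conduit's own): an append-only log of actor, action, before/after, IP and timestamp, where the before/after diff only carries fields that actually changed and secret or PII fields are masked while still recording that they changed. The field names in SENSITIVE_FIELDS and the sample events are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Assumed list of field names that must never reach the log; in a real
# deployment this would come from configuration, not a hard-coded set.
SENSITIVE_FIELDS = {"access_token", "refresh_token", "api_key", "password", "email", "phone"}
REDACTED = "[redacted]"


def scrubbed_diff(before, after):
    """Diff two flat records, keeping only changed fields and masking sensitive values.

    A rotated token still shows up as a change, but its old and new values do not.
    """
    before, after = before or {}, after or {}
    change = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) == after.get(key):
            continue  # untouched fields are not logged at all
        if key in SENSITIVE_FIELDS:
            change[key] = {"before": REDACTED, "after": REDACTED}
        else:
            change[key] = {"before": before.get(key), "after": after.get(key)}
    return change


class AuditLog:
    """Append-only: entries can be written and read, never edited or removed."""

    def __init__(self):
        self._entries = []  # serialized JSON lines, one per change

    def record(self, actor, action, target, before, after, ip):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "ip": ip,
            "change": scrubbed_diff(before, after),
        }
        self._entries.append(json.dumps(entry, sort_keys=True))
        return entry

    def entries(self):
        return tuple(self._entries)  # immutable view; no delete/update method exists


def demo():
    """Constructed sample: an integration's scopes widen and its token rotates."""
    log = AuditLog()
    entry = log.record(
        actor="user:42", action="integration.update", target="integration:crm", ip="203.0.113.7",
        before={"name": "CRM sync", "scopes": ["contacts.read"], "access_token": "tok_OLD_SECRET"},
        after={"name": "CRM sync", "scopes": ["contacts.read", "contacts.write"], "access_token": "tok_NEW_SECRET"},
    )
    return log, entry
```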
Stated plainly
What's live today and what's on the roadmap — labelled, never overstated.
We never represent SOC 2 compliance until an audit is complete. Where a vertical requires it (healthcare/HIPAA, finance), we deploy only with the right posture — a BAA and a compliant configuration.
What we'll share, and how to reach us
Security Overview
A customer-facing description of our controls for your security team — shared on request, verified against the live system.
Data Processing Agreement (DPA)
Processor terms for personal data, with subprocessor list and data-residency options (Operate). Reviewed by counsel.
Subprocessor list
Hosting, CRM, analytics, email, AI model providers, and scheduling — under contract and only as needed.
Per-integration scopes
Exactly which permissions each automation requests against your tools, so there are no surprises.
Security questions, or a vulnerability to report? Reach our security team at security@conduit.ai or via Contact. Evaluating an integration? Ask us for the Security Overview and DPA early — we'd rather lead with it.
Requires legal review: the binding Data Processing Agreement, subprocessor list, and customer Security Overview are reviewed by counsel and verified against the live system before they're shared. Each security claim on this page is stated as live or planned; planned controls are not represented as in place.